A new wave of cyberattacks is stalking organisations across the UK, US, Canada, and Northern Ireland. According to the latest research from Forcepoint X-labs, attackers are impersonating the US Social Security Administration (SSA) to bypass security and take total control of private computers.
The report, which was shared with Hackread.com, reveals that the attack succeeds by weakening the system’s built-in defences rather than relying on complex new viruses.
Breaking the Alarms
It starts with an email that looks official but is riddled with red flags, like the fake domain SSA.COM and the misspelling of Statement as “eStatemet.” If a user falls for the bait and opens the attached .cmd script, the computer quietly begins to sabotage its own defences.
The X-labs team’s report noted that the script’s first job is to check for administrator powers using a technique called PowerShell auto-elevation. Once it has control, it kills Windows SmartScreen (the system that usually blocks suspicious apps from running) by modifying the computer’s registry. It also strips away the Mark-of-the-Web, a hidden digital tag Windows uses to identify files from the internet.
Further investigation revealed the script even uses Alternate Data Streams (ADS) to hide its tracks. Without these alerts, the hackers can perform a silent installation of an MSI file without a single warning appearing on the screen.
A Tool for Good, Used for Evil
Once the guards are down, the script performs a silent installation of ConnectWise ScreenConnect. In a normal office, this is a legitimate tool for IT support. However, here, hackers are weaponising it as a Remote Access Trojan (RAT) to maintain a permanent “backdoor” into the network. Researchers noted that the software is hardcoded via a System.config file to call back to a specific server:
- Port: 8041
- Address: dof-connecttop
- Location: The “Aria Shatel Company Ltd” network in Iran.
The attack uses a specific version of the software, 25.2.4.9229, which carries a revoked (cancelled) security certificate. A binary that is signed, even with a certificate that has since been revoked, can still appear legitimate to some security tools.
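As an added, read-only audit example (not taken from the Forcepoint report or from this article), the following PowerShell checks a Windows host for the three changes described above: the SmartScreen state in the registry, the Zone.Identifier stream that carries the Mark-of-the-Web (plus any other alternate data streams on a file), and live TCP connections to the relay port 8041. The Downloads folder and the *.cmd filter are assumptions for the demonstration.

```powershell
# Added audit example, not from the report. Registry paths and the Zone.Identifier
# stream are standard Windows locations; the folder scanned at the end is an assumption.

function Get-SmartScreenState {
    # Explorer's own setting: "Warn"/"Block" (or "RequireAdmin"/"Prompt" on older builds) = on, "Off" = disabled
    $explorer = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' `
        -Name SmartScreenEnabled -ErrorAction SilentlyContinue
    # Group Policy override, if present: 0 = disabled, 1 = enabled
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
        -Name EnableSmartScreen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ExplorerValue = $explorer.SmartScreenEnabled
        PolicyValue   = $policy.EnableSmartScreen
        Disabled      = ($explorer.SmartScreenEnabled -eq 'Off') -or ($policy.EnableSmartScreen -eq 0)
    }
}

function Get-MotwStatus {
    param([Parameter(Mandatory)][string]$Path)
    # Mark-of-the-Web lives in the Zone.Identifier alternate data stream; ZoneId=3 means "Internet"
    $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    # List every stream other than the default data stream so hidden ADS content stands out
    $streams = Get-Item -Path $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } | Select-Object -ExpandProperty Stream
    [pscustomobject]@{
        Path         = $Path
        HasMotw      = [bool]$zone
        ZoneId       = ($zone | Where-Object { $_ -like 'ZoneId=*' }) -replace 'ZoneId=', ''
        OtherStreams = $streams
    }
}

function Get-RelayConnections {
    # Established or pending connections to the remote port the report associates with the relay
    Get-NetTCPConnection -RemotePort 8041 -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, RemoteAddress, RemotePort, State, OwningProcess
}

Get-SmartScreenState
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.cmd -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-MotwStatus -Path $_.FullName }
Get-RelayConnections
```

A SmartScreen result of Disabled = True, a recently downloaded .cmd file with HasMotw = False, or any connection returned by Get-RelayConnections each warrant closer investigation of that host.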
It is worth noting that the hackers aren’t just looking for random files; they are specifically targeting high-value data sectors like government, healthcare, and logistics. The script even forces a restart of the Windows Explorer process to ensure these security changes take effect immediately.
This discovery highlights a growing trend where cybercriminals don’t bother writing new viruses; they simply hijack the very tools your IT department uses every day. The most effective way to stay protected, as per security experts, is to treat every unexpected government attachment as a potential threat to your network.